#13 sslscan does not honor OpenSSL config options

v1.0 (example)
open
nobody
None
5
2013-12-14
2013-12-14
Jeffrey Walton
No

OpenSSL configured without SSLv2 produces the following compiler warning/error:

$ gcc -I /usr/local/ssl/macosx-x64/include/ /usr/local/ssl/macosx-x64/lib/libssl.a -o sslscan sslscan.c

sslscan.c:566:41: warning: implicit declaration of function
'SSLv2_client_method' is invalid in C99 [-Wimplicit-function-declaration]
...if (sslCipherPointer->sslMethod == SSLv2_client_method())

To configure OpenSSL without SSLv2:

$ ./config -no-ssl2

OpenSSL's configuration is stored in <openssl/opensslconf.h>:

$ cat /usr/local/ssl/macosx-x64/include/openssl/opensslconf.h | grep -b2 -a2 -i SSL2
...
738:#ifndef OPENSSL_NO_SSL2
762:# define OPENSSL_NO_SSL2
787-#endif
--
--
2009:# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
2060:# define NO_SSL2
2078-# endif

To detect it at compile time:

#include <openssl/opensslconf.h>

#if !defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
if (sslCipherPointer->sslMethod == SSLv2_client_method())
...
#endif

Attached is an updated sslscan.c that fixes the SSLv2 issues. You should also test with SSLv3 disabled (i.e., use -no-ssl3). Most of the time I disable SSLv3 also; and I require it be disabled in all projects with security requirements that use OpenSSL.

1 Attachments
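
Added example, not part of the original ticket or of sslscan: a pre-build check that scans opensslconf.h for the OPENSSL_NO_* macros discussed above and fails when a protocol that policy requires to be disabled (here SSLv2 and SSLv3) is still compiled in. The function names is_disabled and require_disabled, the sample file path, and the sample header contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of sslscan or OpenSSL.
# Text scan of a generated opensslconf.h for "# define OPENSSL_NO_<FEATURE>".
# Assumption: the header defines each macro inside its own #ifndef guard,
# as in the grep output quoted in the ticket. This does not evaluate
# preprocessor conditionals.

# is_disabled HEADER FEATURE -> exit 0 if OPENSSL_NO_<FEATURE> is defined.
# The trailing (space|end-of-line) keeps SSL2 from matching SSL2_METHOD etc.
is_disabled() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_$2([[:space:]]|\$)" "$1"
}

# require_disabled HEADER FEATURE... -> one status line per feature;
# exit 1 if any listed feature is still compiled in.
require_disabled() {
    header=$1; shift
    rc=0
    for feature in "$@"; do
        if is_disabled "$header" "$feature"; then
            echo "$feature: disabled"
        else
            echo "$feature: ENABLED"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample header (hypothetical path): SSLv2 configured out, SSLv3 not.
SAMPLE=${TMPDIR:-/tmp}/opensslconf_sample.$$.h
cat > "$SAMPLE" <<'EOF'
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#ifndef OPENSSL_NO_MD2
# define OPENSSL_NO_MD2
#endif
#if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
# define NO_SSL2
#endif
EOF

# Gate the build on the policy: both protocols must be configured out.
require_disabled "$SAMPLE" SSL2 SSL3 || echo "policy check failed: rebuild OpenSSL with the missing no-* options"
```

Point the first argument at the opensslconf.h of the OpenSSL tree the scanner is built against, not the system default, since the two can differ.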